From YouTube: CNCF Security TAG Regular Meeting 2022-01-19
A
Any agenda items that you would like to bring up, because there's nothing on the agenda per se? Well, we can start with the working group updates and then, if, in the meantime, something comes to mind, please add it to the agenda. Yes.
A
Okay, so let's start with the working group updates. Who wants to go first? Do we have anyone from the supply chain working group?
D
Yeah, one update related to that. I wanted to get feedback from the supply chain group. This ties in with the white paper work we've been doing for version 2, so there were some comments from, I think, Frederick and Marina about what we can add that is complementary to the supply chain paper in version 2 of the white paper. So some thoughts they were sharing were: how can I benefit from it, and what are the things, like CVE-related info that comes out of an SBOM or some other workload identity related stuff that comes out, that would be useful? So that was one of the suggestions. I think maybe Marina is here, or no, maybe not, but I just wanted to get feedback from the folks who wrote that paper and see if they have any thoughts.
D
Yeah, so it's really up to us to decide. What I heard from both of them, who unfortunately aren't here today, is we haven't written much about how, as an end user, I can benefit from a secure supply chain, apart from obviously having a secure supply chain. So that piece was missing, and if that can be put in version 2, that would be beneficial. Worst case, we just put a two-line summary and say: for more info, go to the supply chain paper.
C
Version two of the cloud native security paper, right? Yeah. And the idea of the map is to help people figure out a trajectory: in what order should they adopt technologies, what questions should they be asking, what to leverage, right? So from what I'm presuming, without having it in front of me and not having looked at things since the proposal for updating it: should you map the supply chain? Sure. And you can leverage the reference architecture or the best practices to say, hey, when you're deploying a modern application platform that is cloud native, you should pay attention to the supply chain. Maybe it's worth mapping out. There are some tables in the reference architecture that say, hey, these are the most feature-complete technology solutions for the different building blocks of the supply chain.
D
Okay, okay, that makes sense. Yeah, just to be clear, this was for version two of the cloud native security white paper, but the map will benefit from it for sure. So, okay, it seems like, at least with the people we have, the idea is just to link it to the reference architecture and the paper, and then let people pick up whatever is useful from there. Well.
C
If it's the white paper, it might be annoying if you just redirect people to read something extra, right? It's like, well, this is the one thing I wanted to read, to give you a high level overview of the parts and pieces. I mean, you can write whatever you want to write about the supply chain as long as it's accurate; you don't need to copy-paste something from the other things or say, go read that. Like, sounds like you're...
D
Yeah, so, good point. I think my perspective on that is any organization or team that is consuming a cloud native product that is built using a secure supply chain is an end user. So in general, like all typical end users, like banks and financial industries and other technology companies that are not selling cloud native products but are consuming them.
C
So you could just call it off, say: hey, this is building back on version one and supply chain is out of the scope. I do think, for a complete white paper on cloud native security, you need to talk about the secure supply chain. Yeah, yeah, yeah, and you should give it an earnest shot and write a novel take that fits the narrative of the white paper, right? There are so many publications and so many other resources.
E
In terms of benefits, I guess one thing that people may be looking for is that they're selling secure supply chain. So they're in their industries, they're in a bank, and they're saying to the IT director, hey, look, we need you to pay more attention to this. It answers the question why, and obviously we can all say, yeah, we know why, but if I'm trying to sell to a CIO or a CTO, I can say, hey, the CNCF say the benefits of focusing on your secure supply chain are these things; this is why we think you should do this. And it's kind of like the appeal to authority, so they can essentially appeal to CNCF as an authority. And okay, maybe people should never do that, but it kind of helps if you say, look, it's not just me, the security person, telling you this; it's this industry group who are telling you this. I'm guessing that might be the kind of thing they're thinking of for end user companies; it might help them.
D
Yeah, I think that's a solid point. That's kind of using that as a pivot and writing the content in the actual paper based on that.
C
You know, along those lines, it might also be good to state that there's more than just ours. Like, we recognize that there's more than cloud native to securing the software supply chain, and that there are other groups and organizations driving positive change and filling the gaps. So doing a call-out, like high level LF, like OpenSSF stuff, right, and calling out those initiatives might be beneficial.
A
Yeah, okay, thank you. To that effect, I do want to share with you that we had that discussion with CSA, and a memorandum of understanding is under legal review by CNCF. Once that is finalized, I will schedule a meeting with the Cloud Controls Matrix team in CSA and our security controls mapping, so we can start mapping out cloud native controls to all these standards. That will also satisfy an issue that Brandon had created; it's issue number 836. I think it's on auditability for cloud native controls, so we can have a mapping of the controls and then use OSCAL to build those detections and violations of those controls as well. So.
A
...up discussions on that I will set up. John Zola is out, but I'm trying to find time where we can have a discussion with CSA on this topic.
G
Right, so one of the questions in our controls meeting last time was: do we continue working on the tasks which we were supposed to, or do we wait till the CSA partnership is complete and then we formalize what CSA will do and what we will do as a part of the white paper?
A
So I think the decision we took was that whatever controls you're mapping from the white papers, let's finish that as phase one. Phase two will be where we expand it to, you know, other NIST controls: how do they apply to a cloud native platform, right?
A
Okay, for the serverless working group, we have a meeting later today. Over the holidays some people have added some content to the white paper. We're gonna decide what we're gonna do, whether we are going to keep it as a separate paper or we want to integrate it into the Cloud Native Security Whitepaper version two, depending on the quality of the content, I guess. So I had requested a few folks to go review it as well. I haven't looked at it, so I will check today to see if there are any additional comments about the quality of the content there, and go from there. That is what there is about the serverless working group. Any other working groups who want to provide any updates, or am I missing anyone?
B
Good day, is my audio coming through? Yes, good day, loud and clear. Thank you. So, good day, everyone. It's been a while since I've been on these meetings, regrettably; it's just hard to find that work slash TAG Security balance there sometimes with meetings, but anyways. So John Gonzale and I are leading the review for that, and I was able to pull in some individuals who volunteered via the GitHub ticket and TAG Security for the Argo review. But besides John and myself and the Argo team, I wasn't able to really get some additional people to come into the sync-up meetings we had, and now that we've wrapped up the naive question period, we're starting to slice this up. It's actually a rather large one; it's more or less four sub-reviews for Argo components that make up the big overarching review as a whole, so we've dealt with logistics and how we'll combine them and save time and whatnot. But we need reviewers for the Argo assessments, (a) in general and (b) since it's rather large, so I'm trying to drum up interest or see if I can ping a few people one-on-one without haranguing them, but yeah. If we can get some more eyes, more reviewers, on that, it would be key because, at least from the TAG Security perspective, I believe it's just John and myself at this point. If there's someone who's been in the meetings and I've been oblivious to it, pardon if I've missed you.
F
And Matthew, can you just reiterate: these are four separate projects that we're trying to review as part of the Argo project, isn't it?
B
So from their perspective it's one product, for lack of a better term, and it's composed of four sub-projects: Argo CD (continuous delivery), Argo Events, Argo Workflows and Argo Rollouts. So they're all four distinct components, and we've identified points of contact, like owners from the Argo team, for each of those four components, and we've also identified the relevance of security to each of them, and, in short, I would say they're all equal peers. Security, from their sort of opinion, for each of those four components: the significance of security to it as a function and a functionality product and its value is nine out of ten, very relevant, and pretty much equal amongst all of them. The only distinction is some of them would have larger attack surfaces than others just due to the nature of the tool, but, for lack of a better term, security is a first-class citizen for all of them. So that's why they're so keen on going through this process.
F
Okay, thanks for the context, Matthew. And so do we have leads for these four sub-projects, or are we looking only for reviewers at this point?
B
Reviewers. The gist of it is John and I are the two leads associated with this, and we need to pull in more reviewers to slice up the actual work and the reviews now that we've wrapped up the naive questions.
B
For starters, I could put a link right here in the chat and anywhere else we feel that it's relevant to put it, whether it's Slack or a tell-your-friends, tell-your-parents sort of thing. I can provide the link there, and people can just add a comment saying, hey, I'd like to join in the Argo review GitHub ticket or issue, and then I can just follow up immediately, just copy-paste the template for, hey, can you please fill out the conflict of interest, and that's pretty much it. Or I could also post the link to the Slack chat; people can ping me there. I'll still ask for a copy of the conflict of interest sign-off as part of the GitHub ticket, but pretty much whichever way, GitHub or Slack, allows people to reach out to us; we get their sign-off and we loop them in as soon as possible.
B
Absolutely. If you may, take one more minute: there's one interesting thing we did with this approach here, which I think is kind of neat.
B
In short, since it's four sub-reviews, the reviews, I suspect, will be individually smaller than one big typical project, but just merging them back and forth from Google Docs back to Markdown, especially with four of them that have to merge together, we took a slightly different approach than usual. We're keeping all the assessments in Markdown format, and the Argo team, using their own private GitHub repo or their own private instance of it, created essentially a pull request for each one, and we're putting all of our comments in the Git pull request rather than in a Google Doc using Google Docs comment and review functionality. So we made that change, and then the other is we're trying to minimize the number of sync-up meetings and do a mostly asynchronous model, just because the idea is different geos, different time zones, so cut down on the sync meetings and just do more of a developer-centric model than I have, at least with the last couple of ones. I like it so far, but we'll see how well it works out at the end of all this.
B
That's pretty much it for me. If there are no further questions, I will go on mute and go grab the GitHub ticket link and put it in the chat here. Let's post it. Thanks, John, there we have it. Oh well, one other thing: John was courteous enough to provide us with a Zoom bridge for our review meetings.
B
I don't know if it's an option or not, but I'm wondering if there's some sort of pool that CNCF would be willing to give outside of these sort of, like, our TAG Security recorded meetings. I'm wondering if there's a means or a budget for just a handful or a pool of private Zoom accounts, so if we want to do discreet security review meetings, where we don't want it necessarily on public record, we can grab from that rather than reusing an individual's resources.
C
I cannot tell you with certainty if there is or not. What would be helpful is if you have an estimate of how many accounts, under what plan, how much it would cost. We can present the case; we'll open up a service desk ticket and it could be yes or no, but they're gonna ask us, like, hey, how much are you asking for?
C
Yeah, and you would control who you shared those links with, or make it invite-only meetings, right? Got it, yeah. And you could pipe it to a different, like, hey, don't upload this meeting to YouTube, type of thing.
B
Yeah, yeah, we even already have sort of a quick meeting sync-up at the beginning, like, are we gonna record this here? And, okay, you know, in case our kids photobomb the recording or something.
C
Yeah, hey, you guys are working on Argo. I know that Argo and Flux interoperate somewhat. A guy from Flux came to the TAG Security channel on Slack asking for, hey, we did an audit; the audit team advised to engage with TAG Security to help design the user subsystem for Flux. So I think, if you guys have familiarity already, depending on breadth and depth and what type of help they are looking for, how involved, maybe... Well, we have them do an initial design and we put it on their assessments. Maybe they need someone to play more of an architect role, and we could give them a security pal, like an elevated security pal, to do that. I asked them to write down more details and open an issue, but I think we can tackle this one a few different ways to help them out. But yeah, just a heads up.
B
I guess, out of pocket, for lack of a better term, a commercial audit of what they have going on, and now their intent is to make sure they're pretty much going through the appropriate process, so that, on top of their own audit, they can get the CNCF blessing, the sign-off that it's graduated and whatnot. So they've got their act together from what I've been seeing thus far. Oh, that's awesome.
C
On the Zoom accounts, George says, yeah, CNCF to take it as the preferred method. Whenever in question, ask George; that's my rule.
H
I just got a comment from Emily on the pal issues, so I'm gonna open a PR. I put some updates in there, where the ticket... I put some updates into a ticket last week and got her to take a look-see, so I'm going to open the PR to sort of make a more official version of the pal, and that'll start going through. So once we have that, I'll probably put a ticket number into an upcoming meeting.
D
Yeah, I can give some context. So, Fred, remember we exchanged some DMs on the cloud native security white paper version 2, where you were wondering whether we could add some stuff about workload identity or supply chain in that, in addition to what's already in the supply chain white paper. So I just wanted to help you share your thoughts and get some feedback from the community on whether that would make sense. So far, what we discussed has basically been: let's keep it high level as to why we need to do it, versus going really deep into that next time.
C
So the discussion is more like to answer the question of, like, should you include it? It's like, yeah, you should include it. It's entirely up to you as the paper owners how much you expand and elaborate on it.
D
What I was trying to get at is: let's get feedback from the authors of the supply chain paper, so we don't end up kind of mixing things, and so make sure that the content is benefiting from the existence of the supply chain paper and vice versa.
C
Yeah, I don't think there'd be overlap with that, that you'd be duplicating content, if you write a section of the cloud native security white paper to talk about supply chain security and also say, hey, a full-depth view of this is out of the scope of the white paper; there are other resources we have published on the subject.
F
Okay, and my primary concern is someone reads through the cloud native security white paper, implements judiciously all of the controls and says, okay, I'm done, while missing the supply chain as a key thing that we've been actively focusing on. So I think setting the structure there and then handing off, saying here's where you go find deep information; just make sure you have included, for these top values you get out of it, "for in-depth discussion please see this paper" for the supply chain portion. So I can even...
C
Hint that there's more than that, right, because our reference architecture really hones in on build components, but it doesn't cover an end-to-end set of controls for a supply chain, like whatever NIST 800-53 has on supply chain, or things that may be more in the purview of OpenSSF. So hinting that there's a broader landscape might also be beneficial for the reader there.
F
So I do need to drop for another call, but if that's an area that you find of interest, I'm happy to contribute in that space, for that topic. And we have the conversations externally for that, which I think led to this question, but yeah, thanks for raising the closure. Yeah, thanks for.